Multiple Okta Sessions Detected for a Single User

Elastic Detection Rules

Summary
This detection rule identifies potential unauthorized access to Okta user accounts by flagging instances where a single user has initiated multiple sessions with different session IDs. Such behavior may indicate that an attacker has stolen the user's session cookie and is using it to access the account concurrently from several locations. The rule monitors session start events in the `event.dataset:okta.system` data stream, requires that the session's external session ID be present, and filters out legitimate system actors. This is important for detecting lateral movement that relies on compromised user sessions. Investigation steps include reviewing Okta logs for unusual patterns in session initiation, checking geolocation for unexpected access, and confirming with the user whether the detected sessions are legitimate. Potential false positives include legitimate multi-device usage or valid travel, which should be accounted for in operational procedures. Remedial actions include securing the affected account by terminating active sessions and enforcing MFA to protect against further unauthorized access.
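As an added illustration (not Elastic's rule query), the Python below groups Okta System Log session-start events by user, drops system actors and events that lack an external session ID, and flags users with more than one distinct session, recording the source IPs so an analyst can check geolocation. Field names follow Okta's System Log API; the sample events and the actor-type exclusion are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample of Okta System Log events (subset of fields only).
SAMPLE_EVENTS = [
    # alice: two different external session IDs from two IPs -> should be flagged
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com", "type": "User"},
     "authenticationContext": {"externalSessionId": "sess-a1"}, "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com", "type": "User"},
     "authenticationContext": {"externalSessionId": "sess-a2"}, "client": {"ipAddress": "198.51.100.7"}},
    # bob: same session ID seen twice (e.g. a renewal) -> one session, not flagged
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com", "type": "User"},
     "authenticationContext": {"externalSessionId": "sess-b1"}, "client": {"ipAddress": "203.0.113.20"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com", "type": "User"},
     "authenticationContext": {"externalSessionId": "sess-b1"}, "client": {"ipAddress": "203.0.113.20"}},
    # system actor: excluded even though it has two sessions
    {"eventType": "user.session.start", "actor": {"alternateId": "okta-system", "type": "SystemPrincipal"},
     "authenticationContext": {"externalSessionId": "sess-s1"}, "client": {"ipAddress": "192.0.2.1"}},
    {"eventType": "user.session.start", "actor": {"alternateId": "okta-system", "type": "SystemPrincipal"},
     "authenticationContext": {"externalSessionId": "sess-s2"}, "client": {"ipAddress": "192.0.2.2"}},
    # carol: missing external session ID -> ignored by the rule
    {"eventType": "user.session.start", "actor": {"alternateId": "carol@example.com", "type": "User"},
     "authenticationContext": {}, "client": {"ipAddress": "203.0.113.30"}},
]

def sessions_per_user(events, excluded_actor_types=("SystemPrincipal",)):
    """Map user -> {external_session_id -> set(source IPs)} for session-start events."""
    sessions = defaultdict(dict)
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        actor = ev.get("actor", {})
        if actor.get("type") in excluded_actor_types:      # drop system actors
            continue
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if not sid:                                         # rule requires the external session ID
            continue
        ip = ev.get("client", {}).get("ipAddress")
        sessions[actor.get("alternateId")].setdefault(sid, set()).add(ip)
    return dict(sessions)

def flag_multiple_sessions(events, min_sessions=2):
    """Return only users whose distinct session count reaches the threshold."""
    return {user: s for user, s in sessions_per_user(events).items() if len(s) >= min_sessions}

if __name__ == "__main__":
    for user, s in flag_multiple_sessions(SAMPLE_EVENTS).items():
        print(user, {sid: sorted(ips) for sid, ips in s.items()})
```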
Categories
  • Identity Management
  • Cloud
  • Application
Data Sources
  • User Account
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1550
  • T1550.004
Created: 2023-11-07